Announcing NGINX Plus R11

We are excited to announce the availability of NGINX Plus Release 11 (R11). With this release we are providing a number of new features in NGINX Plus to make the product easier to extend and customize, and to support an even broader range of deployments.

NGINX Plus R11 introduces binary compatibility for dynamic modules. This means that dynamic modules that have been compiled against the open source NGINX software can be loaded into NGINX Plus.

You can leverage the large number of third‑party NGINX modules to extend and add functionality to NGINX Plus, drawing from a range of open source and commercially produced modules. Developers can create custom extensions, add‑ons, and new products based on the supported NGINX Plus core.

NGINX Plus R11 also adds a number of other enhancements:

  • Improved TCP/UDP load balancing – New features include SSL server name routing, new logging functionality, additional variables, and improved PROXY protocol support. These new features enhance debugging capabilities and enable you to support a broader range of enterprise applications.
  • Better geolocation by IP address – The third‑party GeoIP2 module is now certified and provided to NGINX Plus customers. This new version provides localized and richer location detail than the original GeoIP module.
  • Enhanced nginScript module – nginScript is the next‑generation configuration language for NGINX Plus, based on JavaScript. New features enable you to modify request and response data on the fly in the Stream (TCP/UDP) module.

NGINX Plus R11 in Detail

Binary Compatibility for Dynamic Modules

The NGINX community has developed a wide range of module extensions to open source NGINX – security solutions, authentication modules, even complete application runtime environments such as Lua.

We build and maintain some of these third‑party modules for NGINX Plus, updating them with each release and distributing them via our NGINX Plus repository. These builds are certified to work correctly with NGINX Plus and our support team provides installation and basic configuration technical support.

With the R11 release, you can now compile any compliant third‑party modules against the corresponding open source NGINX release and then load these modules safely into NGINX Plus.

Each release of NGINX Plus is built on top of a version of open source NGINX. Run nginx -v to determine the matching open source version number; for NGINX Plus R11, that is NGINX 1.11.5.

$ nginx -v
nginx version: nginx/1.11.5 (nginx-plus-r11)

To compile dynamic modules, you first obtain the NGINX source code that your NGINX Plus version is based on:

$ wget http://nginx.org/download/nginx-1.11.5.tar.gz
$ tar -xzvf nginx-1.11.5.tar.gz

Then you run the configure command with the new --with-compat argument to create a standard build environment that is compatible with NGINX Plus:

$ cd nginx-1.11.5
$ ./configure --with-compat --add-dynamic-module=/path/to/module
$ make modules

For more details on compiling your own modules for operation with NGINX Plus, see Compiling Dynamic Modules for NGINX Plus on our blog.

Modules that you compile yourself (community modules, modules provided by third‑party partners, and custom modules) are not tested or supported by NGINX. If you seek technical support for a problem, the NGINX technical support team may ask you to remove an unsupported module and reproduce the fault as part of our technical support process, so that they can verify whether or not the fault is caused by the unsupported module.

Improved TCP/UDP Load Balancing

NGINX Plus R11 can support a broader range of applications with key enhancements to TCP and UDP load balancing.

SSL Server Name Routing

You can now use NGINX Plus’ TCP/UDP load balancer to load balance SSL/TLS connections without decrypting them. This is useful in a secure or high‑traffic environment where you want to forward SSL/TLS‑encrypted connections to a remote server.

With the new SSL server name preread feature, NGINX Plus R11 can inspect each incoming SSL/TLS connection, read the target domain from the Server Name Indication (SNI) value, and route the connection accordingly.

The SSL server name is provided in the new $ssl_preread_server_name variable. It contains the name of the target host as extracted from the SNI field of the SSL/TLS handshake.

You can use the variable as the argument to the proxy_pass directive or as a field in the virtual server access log. Note that to enable this feature you must include the ssl_preread directive in the configuration, as shown in this example:

stream {
    . . .
    server {
        listen 443;
        ssl_preread on;

        # you can also use a more complex map{} to determine the target
        proxy_pass $ssl_preread_server_name;
    }
}
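
What the preread step reads from the wire, as an added JavaScript (Node.js) example that is not NGINX code: extractSni pulls the host name out of a raw ClientHello without decrypting anything, and routeFor resolves it through an allow-list, since the SNI value is chosen by the client. The ROUTES table, its addresses and the buildClientHello sample generator are constructed for illustration.

```javascript
// Added example (not NGINX source). TLS record: type 0x16, version (2), length (2).
function extractSni(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) return null;
  const end = Math.min(buf.length, 5 + buf.readUInt16BE(3));
  let p = 5;
  if (p + 4 > end || buf[p] !== 0x01) return null; // handshake type 1 = ClientHello
  p += 4 + 2 + 32;                                 // header, client_version, random
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                 // session_id
  if (p + 2 > end) return null;
  p += 2 + buf.readUInt16BE(p);                    // cipher_suites
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                 // compression_methods
  if (p + 2 > end) return null;                    // hello carries no extensions
  const extEnd = Math.min(end, p + 2 + buf.readUInt16BE(p));
  p += 2;
  while (p + 4 <= extEnd) {
    const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
    p += 4;
    if (p + len > extEnd) return null;             // truncated extension
    if (type === 0) {                              // server_name extension
      // list length (2), name_type (1, 0 = host_name), name length (2), name
      if (len < 5 || buf[p + 2] !== 0) return null;
      const n = buf.readUInt16BE(p + 3);
      if (5 + n > len) return null;
      return buf.toString('ascii', p + 5, p + 5 + n).toLowerCase();
    }
    p += len;
  }
  return null;                                     // no SNI sent
}

// Constructed allow-list playing the role of a map{} with an empty default.
const ROUTES = { 'app.example.com': '10.0.0.10:443', 'api.example.com': '10.0.0.20:443' };
function routeFor(buf) {
  const sni = extractSni(buf);
  return sni && Object.prototype.hasOwnProperty.call(ROUTES, sni) ? ROUTES[sni] : null;
}
// Builds a minimal ClientHello as constructed sample input ('' = no SNI extension).
function buildClientHello(host) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const name = Buffer.from(host, 'ascii');
  const sni = Buffer.concat([u16(name.length + 3), Buffer.from([0]), u16(name.length), name]);
  const ext = host ? Buffer.concat([u16(0), u16(sni.length), sni]) : Buffer.alloc(0);
  const body = Buffer.concat([Buffer.from([3, 3]), Buffer.alloc(33), u16(2),
    Buffer.from([0x13, 0x01, 1, 0]), u16(ext.length), ext]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(hs.length), hs]);
}
```

A name that is absent from the table, or a ClientHello without SNI, yields no route, which corresponds to a map{} whose default entry points nowhere.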

Support for Access Logging

The new Stream Log module in NGINX Plus R11 provides the same kind of access logging for TCP/UDP connections as was available in previous releases for HTTP connections. You can now log each TCP/UDP session processed by the Stream module, inspecting data rates, load‑balancing decisions, error conditions, and so on. This is a vital feature when debugging or auditing TCP or UDP transactions.

The Stream module exposes a large number of variables and all of them can be logged. You can customize the default log format, using variables in the following fashion:

log_format custom '$remote_addr [$time_local] '
                  '$protocol $status $bytes_sent $bytes_received '
                  '$upstream_session_time $upstream_addr';
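
For auditing, lines written in this format can be parsed and summarized per upstream. The following is an added JavaScript (Node.js) example, not part of NGINX Plus; it assumes the custom format above, treats any $status other than 200 as an error, and uses a constructed sample and an assumed 50% alert threshold.

```javascript
// Fields follow the "custom" log_format above; the last field may list several
// upstream addresses separated by ", " when more than one server was tried.
const LINE = /^(\S+) \[([^\]]+)\] (\S+) (\d{3}) (\d+) (\d+) (\S+) (.+)$/;

function parseStreamLog(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;                       // not in the expected format
  return { remoteAddr: m[1], time: m[2], protocol: m[3], status: Number(m[4]),
    bytesSent: Number(m[5]), bytesReceived: Number(m[6]),
    upstreamSessionTime: m[7], upstreamAddr: m[8].split(', ').pop() };
}

// Session and error counts per upstream (keyed on the last server tried);
// an upstream is flagged when its share of non-200 sessions exceeds `threshold`.
function errorRates(lines, threshold = 0.5) {
  const stats = new Map();
  for (const line of lines) {
    const e = parseStreamLog(line);
    if (!e) continue;                        // skip unparseable lines
    const s = stats.get(e.upstreamAddr) || { sessions: 0, errors: 0 };
    s.sessions += 1;
    if (e.status !== 200) s.errors += 1;
    stats.set(e.upstreamAddr, s);
  }
  return [...stats].map(([upstream, s]) =>
    ({ upstream, ...s, flagged: s.errors / s.sessions > threshold }));
}

// Constructed sample log lines (addresses and times are illustrative).
const SAMPLE = [
  '203.0.113.7 [08/Nov/2016:10:00:01 +0000] TCP 200 1520 310 0.120 10.0.0.10:3306',
  '203.0.113.8 [08/Nov/2016:10:00:02 +0000] TCP 502 0 0 0.000 10.0.0.11:3306',
  '203.0.113.9 [08/Nov/2016:10:00:03 +0000] TCP 502 0 0 0.000 10.0.0.10:3306, 10.0.0.11:3306',
  '203.0.113.7 [08/Nov/2016:10:00:04 +0000] TCP 200 980 120 0.050 10.0.0.11:3306',
  '203.0.113.7 [08/Nov/2016:10:00:05 +0000] UDP 200 64 48 0.004 10.0.0.20:53',
  'not a stream log line',
];
```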

Improved PROXY Protocol Support

This release makes our support for the PROXY protocol for TCP connections more comprehensive, by enabling NGINX Plus to accept TCP connections that are enhanced using the PROXY protocol.

This feature improves your ability to manage TCP connections with NGINX Plus, because you can determine the true source IP address of the connection for logging or authentication purposes.
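
The address carried in a PROXY protocol header is only as trustworthy as the host that sent it. The following added JavaScript (Node.js) example, which is not NGINX code, parses a version 1 header and uses its source address for logging or authentication only when the TCP peer is a known proxy; the TRUSTED_PROXIES list and the sample header are constructed.

```javascript
// Constructed list of load balancers permitted to send a PROXY header (assumption).
const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']);

// Constructed sample header as a trusted load balancer would send it.
const SAMPLE_HEADER = 'PROXY TCP4 203.0.113.7 10.0.0.5 51234 3306\r\n';

const port = (s) => (/^\d{1,5}$/.test(s) && Number(s) <= 65535 ? Number(s) : -1);

// Parse a PROXY protocol v1 line: "PROXY TCP4 <src> <dst> <sport> <dport>\r\n".
// Returns null for anything malformed; address checks are syntactic only.
function parseProxyV1(buf) {
  const end = buf.indexOf('\r\n');
  if (end < 0 || end > 105) return null;      // v1 line is at most 107 bytes with CRLF
  const f = buf.toString('ascii', 0, end).split(' ');
  if (f[0] !== 'PROXY') return null;
  if (f[1] === 'UNKNOWN') return { family: 'UNKNOWN', src: null, headerLen: end + 2 };
  if (f.length !== 6 || (f[1] !== 'TCP4' && f[1] !== 'TCP6')) return null;
  const addr = f[1] === 'TCP4' ? /^(\d{1,3}\.){3}\d{1,3}$/ : /^[0-9a-fA-F:]{2,39}$/;
  const sp = port(f[4]), dp = port(f[5]);
  if (!addr.test(f[2]) || !addr.test(f[3]) || sp < 0 || dp < 0) return null;
  return { family: f[1], src: f[2], dst: f[3], srcPort: sp, dstPort: dp, headerLen: end + 2 };
}

// Address to log or authenticate on: the header is believed only when the TCP
// peer itself is a known proxy; otherwise the socket address is used.
function clientAddress(peerAddr, firstBytes) {
  if (!TRUSTED_PROXIES.has(peerAddr)) return peerAddr;
  const h = parseProxyV1(firstBytes);
  return h && h.src ? h.src : peerAddr;
}
```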

Additional Extended Status Metrics

The Status module now reports more metrics in the stream category, including counts of the number of sessions handled and counts of various error conditions.

Along with the new access_log directive in the Stream Log module, the additional metrics make it easier to monitor the behavior of TCP and UDP services and detect when there’s an unexpected rate of errors.

GeoIP2 Module for Better Geolocation

The third‑party GeoIP2 module is now certified and available to NGINX Plus users in our repository. The GeoIP2 module uses the MaxMind GeoIP2‑format databases, which provide localized names and are richer in detail than the ones used by the original GeoIP module.

To obtain the new module, run these commands (appropriate for Debian and Ubuntu):

$ apt-get update
$ apt-get install nginx-plus-module-geoip2

In the main (top‑level) context in /etc/nginx/nginx.conf, add a load_module directive for the newly installed module:

load_module modules/ngx_http_geoip2_module.so;

For further information on the GeoIP2 module, see the official GitHub page.

Enhanced nginScript Module

nginScript is the next‑generation configuration language for NGINX and NGINX Plus. With nginScript you can use familiar JavaScript syntax to perform more complex operations than are possible with the standard NGINX configuration language. This release includes a number of enhancements to nginScript.

nginScript is still a work in progress and the updates in this release point towards the final planned functionality. In this milestone, we have focused on two areas: integration with the Stream module, and broader JavaScript language support.

In the Stream module, nginScript can access several internal request processing phases in order to inspect and modify data. For example, the following nginScript code illustrates how to inspect the third message in a MySQL protocol stream and search for key patterns to identify the SQL operation:

var method = "unknown";
var client_messages = 0;

// Called by js_filter directive whenever a packet is processed in the TCP stream
function getSqlMethod(s) {
    if ( !s.fromUpstream ) {
        client_messages++;
        if ( client_messages == 3 ) { // SQL query appears in 3rd client packet
            var query_text = s.buffer.substr(1,10).toUpperCase();
            var methods = ["SELECT", "UPDATE", "INSERT", "SHOW", "CREATE", "DROP"];
            var i = 0;
            for (; i < methods.length; i++ ) {
                // search() returns -1 when the pattern is not found
                if ( query_text.search(methods[i]) >= 0 ) {
                    s.log("SQL method: " + methods[i]); // To error_log [info]
                    method = methods[i];
                    return s.OK; // Stop searching
                }
            }
        }
    }
    return s.OK;
}

nginScript core language support has been considerably extended, with support for further built‑in objects and functions. Updates are shared on the Mercurial source repository and through the NGINX Plus package repository.

Improved Caching Performance

NGINX Plus operates a separate cache manager process that is responsible for pruning the disk cache. Under certain circumstances, the cache manager might need to delete a large number of files, for example when a large amount of memory needs to be recovered.

With the new ‘unlink throttling’ capability, you can specify a maximum rate of deletion for cached files. A lower rate can reduce the load on the underlying disk and therefore improve system performance.

The deletion rate is controlled by the new manager_files, manager_threshold, and manager_sleep parameters to the proxy_cache_path, fastcgi_cache_path, scgi_cache_path, and uwsgi_cache_path directives.

Upgrade or Try NGINX Plus

If you’re running NGINX Plus, we encourage you to upgrade to Release 11 when convenient. You’ll pick up a number of fixes and improvements, and it will help us to help you if you need to raise a support ticket. Installation and upgrade instructions can be found at the customer portal.

Note: As was previously announced, NGINX Plus R11 and later do not include the nginx‑plus‑extras package. If you are still using that package, you must instead deploy the nginx‑plus package and dynamically load the additional modules you require from the NGINX Plus module repository.

If you’ve not tried NGINX Plus, we encourage you to try it out for web acceleration, load balancing, and application delivery, or as a fully supported web server with enhanced monitoring and management APIs. You can get started today with a free 30‑day evaluation and see for yourself how NGINX Plus can help you deliver and scale out your applications.
